dfns / cggmp21

State-of-art threshold ECDSA in Rust
Apache License 2.0

Fix secret key reconstruction when given more than `t` shares #52

Closed survived closed 1 year ago

survived commented 1 year ago

There was a bug where giving more than `t` key shares to `reconstruct_secret_key` would produce an incorrect secret key. The PR fixes the bug and adds tests covering that.

github-actions[bot] commented 1 year ago

Benchmark Result

Benchmarks

```text
RUST_TESTS_SEED=7e82936b5368086a9e8da53535349e51f3f98d1f742f3f0b619e045e0c80c33d

n = 3

Non-threshold DKG
Protocol Performance:
  - Protocol took 707.51µs to complete

In particular:
  - Setup: 9.30µs
    - Setup networking: 9.00µs (96.8%)
    - Unstaged: 300.00ns (3.2%)
  - Round 1: 179.10µs
    - Compute execution id: 300.00ns (0.2%)
    - Sample x_i, rid_i: 78.80µs (44.0%)
    - Sample schnorr commitment: 71.20µs (39.8%)
    - Commit to public data: 28.30µs (15.8%)
    - Unstaged: 500.00ns (0.3%)
  - Round 2: 4.10µs
    - Hash received msgs (reliability check): 3.80µs (92.7%)
    - Unstaged: 300.00ns (7.3%)
  - Round 3: 400.00ns
    - Assert other parties hashed messages (reliability check): 100.00ns (25.0%)
    - Unstaged: 300.00ns (75.0%)
  - Round 4: 66.50µs
    - Validate decommitments: 60.70µs (91.3%)
    - Calculate challege rid: 5.00µs (7.5%)
    - Prove knowledge of `x_i`: 600.00ns (0.9%)
    - Unstaged: 200.00ns (0.3%)
  - Round 5: 448.11µs
    - Validate schnorr proofs: 447.51µs (99.9%)
    - Unstaged: 600.00ns (0.1%)

Threshold DKG
Protocol Performance:
  - Protocol took 2.05ms to complete

In particular:
  - Setup: 3.70µs
    - Setup networking: 3.60µs (97.3%)
    - Unstaged: 100.00ns (2.7%)
  - Round 1: 283.10µs
    - Compute execution id: 200.00ns (0.1%)
    - Sample rid_i, schnorr commitment, polynomial: 251.60µs (88.9%)
    - Commit to public data: 31.00µs (11.0%)
    - Unstaged: 300.00ns (0.1%)
  - Round 2: 4.50µs
    - Hash received msgs (reliability check): 4.30µs (95.6%)
    - Unstaged: 200.00ns (4.4%)
  - Round 3: 400.00ns
    - Assert other parties hashed messages (reliability check): 100.00ns (25.0%)
    - Unstaged: 300.00ns (75.0%)
  - Round 4: 1.29ms
    - Validate decommitments: 64.80µs (5.0%)
    - Validate data size: 500.00ns (0.0%)
    - Validate Feldmann VSS: 530.11µs (41.2%)
    - Compute rid: 300.00ns (0.0%)
    - Compute Ys: 634.11µs (49.3%)
    - Compute sigma: 900.00ns (0.1%)
    - Calculate challenge: 54.20µs (4.2%)
    - Prove knowledge of `sigma_i`: 200.00ns (0.0%)
    - Unstaged: 300.00ns (0.0%)
  - Round 5: 468.21µs
    - Validate schnorr proofs: 464.31µs (99.2%)
    - Derive resulting public key and other data: 2.70µs (0.6%)
    - Unstaged: 1.20µs (0.3%)

Key refresh protocol
Protocol Performance:
  - Protocol took 3.31s to complete

In particular:
  - Setup: 13.50µs
    - Retrieve auxiliary data: 500.00ns (3.7%)
    - Setup networking: 10.70µs (79.3%)
    - Precompute execution id and shared state: 2.20µs (16.3%)
    - Unstaged: 100.00ns (0.7%)
  - Round 1: 382.93ms
    - Retrieve primes (p and q): 200.00ns (0.0%)
    - Compute paillier decryption key (N): 21.69ms (5.7%)
    - Generate secret x_i and public X_i: 225.40µs (0.1%)
    - Generate auxiliary params r, λ, t, s: 5.49ms (1.4%)
    - Prove Πprm (ψˆ_i): 354.74ms (92.6%)
    - Compute schnorr commitment τ_j: 245.30µs (0.1%)
    - Sample random bytes: 300.00ns (0.0%)
    - Compute hash commitment and sample decommitment: 528.71µs (0.1%)
    - Unstaged: 300.00ns (0.0%)
  - Round 2: 4.60µs
    - Hash received msgs (reliability check): 3.90µs (84.8%)
    - Unstaged: 700.00ns (15.2%)
  - Round 3: 500.00ns
    - Assert other parties hashed messages (reliability check): 400.00ns (80.0%)
    - Unstaged: 100.00ns (20.0%)
  - Round 4: 2.05s
    - Validate round 1 decommitments: 910.81µs (0.0%)
    - Validate data sizes: 500.00ns (0.0%)
    - Validate П_prm (ψ_i): 679.83ms (33.2%)
    - Validate X_i: 21.40µs (0.0%)
    - Compute paillier encryption keys: 25.30µs (0.0%)
    - Add together shared random bytes: 4.50µs (0.0%)
    - Compute П_mod (ψ_i): 1.18s (57.5%)
    - Assemble security params for П_fac (ф_i): 2.18ms (0.1%)
    - Compute schnorr proof ψ_i^j: 12.60µs (0.0%)
    - Prepare auxiliary params and security level for proofs: 400.00ns (0.0%)
    - Paillier encryption of x_i^j: 46.05ms (2.2%)
    - Compute П_fac (ф_i^j): 141.75ms (6.9%)
    - Unstaged: 2.10µs (0.0%)
  - Round 5: 883.05ms
    - Paillier decrypt x_j^i from C_j^i: 37.59ms (4.3%)
    - Validate shares: 163.90µs (0.0%)
    - Validate schnorr proofs п_j and ψ_j^k: 919.21µs (0.1%)
    - Validate ψ_j (П_mod): 706.32ms (80.0%)
    - Validate ф_j (П_fac): 138.03ms (15.6%)
    - Calculate new x_i: 2.00µs (0.0%)
    - Calculate new X_i: 9.00µs (0.0%)
    - Assemble new core share: 600.00ns (0.0%)
    - Assemble auxiliary info: 2.70µs (0.0%)
    - Unstaged: 1.10µs (0.0%)

Signing protocol
Protocol Performance:
  - Protocol took 2.13s to complete

In particular:
  - Setup: 24.17ms
    - Map t-out-of-n protocol to t-out-of-t: 7.30µs (0.0%)
    - Retrieve auxiliary data: 24.16ms (99.9%)
    - Precompute execution id and security params: 2.00µs (0.0%)
    - Setup networking: 5.40µs (0.0%)
    - Unstaged: 200.00ns (0.0%)
  - Round 1: 158.16ms
    - Generate local ephemeral secrets (k_i, y_i, p_i, v_i): 40.40µs (0.0%)
    - Encrypt G_i and K_i: 45.84ms (29.0%)
    - Prove ψ0_j: 112.28ms (71.0%)
    - Unstaged: 2.40µs (0.0%)
  - Round 2: 45.10µs
    - Hash received msgs (reliability check): 44.90µs (99.6%)
    - Unstaged: 200.00ns (0.4%)
  - Round 3: 1.07s
    - Assert other parties hashed messages (reliability check): 1.30µs (0.0%)
    - Verify psi0 proofs: 111.54ms (10.5%)
    - Sample random r, hat_r, s, hat_s, beta, hat_beta: 70.00µs (0.0%)
    - Encrypt D_ji: 73.15ms (6.9%)
    - Encrypt F_ji: 66.65ms (6.3%)
    - Encrypt hat_D_ji: 82.33ms (7.7%)
    - Encrypt hat_F_ji: 76.91ms (7.2%)
    - Prove psi_ji: 279.30ms (26.2%)
    - Prove psiˆ_ji: 268.64ms (25.2%)
    - Prove psi_prime_ji : 106.90ms (10.0%)
    - Unstaged: 4.00µs (0.0%)
  - Round 4: 775.55ms
    - Retrieve auxiliary data: 9.10µs (0.0%)
    - Validate psi: 227.40ms (29.3%)
    - Validate hat_psi: 238.23ms (30.7%)
    - Validate psi_prime: 103.44ms (13.3%)
    - Compute Gamma, Delta_i, delta_i, chi_i: 85.71ms (11.1%)
    - Prove psi_prime_prime: 120.75ms (15.6%)
    - Unstaged: 1.30µs (0.0%)
  - Presig output: 102.94ms
    - Validate psi_prime_prime: 102.76ms (99.8%)
    - Calculate presignature: 187.00µs (0.2%)
    - Unstaged: 1.50µs (0.0%)
  - Partial signing: 13.80µs
  - Signature reconstruction: 304.50µs
```